Wednesday, June 11, 2014


What do your personal credit card data and Morty’s backseat grocery bags have in common?

by Larry Geller

First, thanks to Ian Lind for his kind words and for also highlighting the issue of the Star-Advertiser’s response to the reported use of their subscriber data in at least two cases of identity theft. Ian’s article helps get the word out about the need for adequate protection of personal data entrusted to any organization.

I went down to Circuit Court Monday morning to observe the arraignment of one of the alleged ID thieves. It was actually a waste of time as it didn’t reveal any new information. The accused is read a summary of the indictment and pleads not guilty. So afterwards I went over to the records room and made copies of the documents for each of the accused.

Each one is charged with using the name of a single person repeatedly to make purchases. Each alleged purchase becomes one count in the indictment. The name of the person whose identity was used is given, and the injured party is First Hawaiian Bank—in other words, the loss was theirs.

But nowhere is there any mention of Star-Advertiser data, and there shouldn’t be. The alleged thieves are the ones charged for what they allegedly did. That’s it.

So what about your personal data? What about my data?

Past Hawaii data breach situations have shown that there is little incentive for an organization to improve its security procedures unless there is public pressure, including, perhaps, civil action.

But if there is ID theft, hasn’t a crime been committed” Who’s responsible?

Actually, those are two different questions.

Let me suggest an analogy. It’s imperfect, but I’ll try and tidy it up afterwards.

Morty’s groceries

Just as in Hawaii, cars in New York City are often broken into if valuables are left in plain sight. Even leaving an empty GPS mount on the dashboard could lead to trouble, hence the use by many drivers of “bean-bag” style mounts that can be hidden away along with the GPS unit when the car is parked.

So let’s say Morty parks his car somewhere in Brooklyn. On the back seat he leaves three big paper bags of groceries. He then walks away for a short time, leaving the windows open, to buy himself an egg cream.

Yup, for sure, when he returns minutes later, the grocery bags are gone. Count on it.

Heck, we used to say that if you dropped a quarter from your purse in certain parts of the city, it would never hit the sidewalk.

Now, the person or persons who took the grocery bags are thieves. If a cop happened by, they’d be arrested (or, um, they might share…) (but that’s another analogy, not this one).

But what about the person who left the bags in the car with the windows open? Do it again, the bags will be taken again. Doesn’t the car owner bear some responsibility?

His mom: “Morty, I raised ya wrong. Yer an idiot. If ya leave your goods in yer car, yer an idiot, and to leave the windows open too! If yer father wuz still alive he’d disown you, if he hadn’t been such an idiot himself.”

No one will arrest Morty for leaving the groceries in the back seat. He did not commit a crime. It could almost be said that he gave the groceries away, because he should have known what would happen.

Now, to fix this up a bit. Suppose Morty left someone else’s things on the back seat of the car, with the windows open, or even closed?

If those things are taken, and with the windows down they will be, it will be up to the person who trusted Morty to go after Morty for compensation. The owner can claim that Morty was expected to take reasonable precautions to protect those things 

Maybe he left groceries on the back seat and the valuables in the trunk, but the thieves naturally popped open the trunk as long as they were in the car, why not?

So the person suffering the loss goes after the person who allegedly failed to take appropriate precautions, in a civil action.

That’s what transpired when the University of Hawaii repeatedly failed to properly protect personal data entrusted to it. Someone who was damaged by the theft became the plaintiff in a case that was certified as a class action on behalf of all of those affected.

“The settlement is historic for several reasons,” said Thomas Grande, who also represents the class. “First, this is the largest class case filed or settled in Hawai'i. It also is the first data breach settlement in Hawai'i,” Grande noted.

[UH settles lawsuit, will provide credit monitoring to those affected by five data breaches, 1/26/2012]

So far, in these two arrests, First Hawaiian Bank appears to be the only injured party, at least according to the court papers. So far.

We of course don’t know if they even called the newspaper to chastise them. We know nothing.

One media report suggested that a box of Star-Advertiser data is out there somewhere, perhaps yet to be used, who knows.

Police sources say the two women are part of a large theft ring that has targeted subscribers of the Star Advertiser.

The paper's storage unit was burglarized and at least one banker box was taken.  The box contained account information for hundreds of customers.

Police say the information was used to make fake credit cards. 

[Hawaii News Now, Honolulu Star-Advertiser victim of thieves, customer accounts stolen, 6/5/2014]

If no further ID thefts take place, great.

If there are more incidents, it will likely take a civil case to recover damages.

As to convincing this or any other organization to improve its security practices, that will be up to its customers, whether advertisers or subscribers. One could simply pay cash for a subscription, for example, or choose not to renew. But individual acts will not likely bring about a change in behavior.

There may be other federal or state laws out there that I’m not familiar with, and for educational purposes, I’d love to learn about them. As attorney Tom Grande noted, his was the first data breach settlement in Hawaii. We may simply be behind the rest of the country, who knows.

In closing, I have to say that in the absence of any clarification from the Star-Advertiser, I don’t know if any of my personal information was in the box referred to in the reports. That’s troubling, and my only recourse at this point is to pay more careful attention to my credit card statements.


The analogy was good. It made the concept clear. Thank you.

Post a Comment

Requiring those Captcha codes at least temporarily, in the hopes that it quells the flood of comment spam I've been receiving.

<< Home


page is powered by Blogger. Isn't yours?

Newer›  ‹Older